import os,sys,re,time


# add your own if you want
list_unsafecalls= [
       #====== System/Proc Calls ========
       "system",
       "eval",
       "exec",
       "fputs",
       "fopen",
       "popen",
       "shell_exec",
       "escapeshellcmd",
       "escapeshellarg",
       "proc_close",       
       "proc_get_status",  
       "proc_nice",        
       "proc_open",        
       "proc_terminate"    
       ]
list_db_connections = [
       #====== Database Connections ========
       "odbc_connect",
       "odbc_pconnect",
       "mysql_connect",
       "mysql_pconnect",
       "mysql_select_db",
       "oci_connect",
       "pg_connect",
       "db2_connect",
       "cubrid_connect",
       "dbplus_open",
       "dbase_open",
       "filepro_retrieve",
       "fbsql_connect",
       "fbsql_connect",
       "ifx_connect",
       "ingres_connect",
       "maxdb",
       "Mongo",
       "msql_connect",
       "mssql_connect",
       "ovrimos_connect",
       "px_new",
       "sqlite_factory",
       "sybase_connect",
       "sqlsrv_connect",
       "TokyoTyrant"
       ]

list_simple_SQL = [
       #====== Simple SQL Statements ========
       "\"select ",
       "\"insert ",
       "\"update "]
# Danger Will Robinson

list_serialisation = [
       #====== Serialisation Statements ========
       "serialize",
       "unserialize"
       ]

list_database_execute = [
        #====== Database Execute ( NON-PREPARED ) Statements ========
        "odbc_exec",
        "cubrid_execute",
        "dbplus_sql",
        "ibase_query",
        "fbsql_db_query",
        "db2_exec",
        "ifx_query",
        "ingres_query",
        "maxdb_query",
        "msql_db_query",
        "mssql_query",
        "mysql_query",
        "oci_execute",
        "ovrimos_exec",
        "pg_query",
        "sqlite_exec",
        "sybase_query",
        "TokyoTyrantQuery"]
   


def info():
    print "[+] Quick and Dirty PHP vulnerability scanner by op7ica (Y) v2.1"
    print "[+] Will search PHP code for some dirty functions"
    print "[+] contact : if you know me then give me a shout!"
    print "[+] usage: ./php_assess.py <DIR_PATH>"
    print "\n"
    

def help():
    print "[+] usage: ./php_assess.py <DIR_PATH>"
    
def search(filelist):
        for path in filelist:
        file = open(path, "r")
        for line in file:
            for elems in list_unsafecalls:
		if re.search(r'\b' + elems + r'\s*\(', str(line).lower()):
                    print "PATH : " , path
                    print "[+] Command found :", elems.strip("(")
                    print "\t[+] Code Line: " , line
            for elems in list_db_connections:
		if re.search(r'\b' + elems + r'\s*\(', str(line).lower()):
                    print "PATH : " , path
                    print "[+] Database Connection found :", elems.strip("(")
                    print "\t[+] Code Line: " , line
            for elems in list_database_execute:
		if re.search(r'\b' + elems + r'\s*\(', str(line).lower()):
                    print "PATH : " , path
                    print "[+] Database Execute Call found :", elems.strip("(")
                    print "\t[+] Code Line: " , line
            for elems in list_simple_SQL: # this can give a lot of false positives
                if "//" in str(line).lower() or "*" in str(line).lower(): # don't want comments from the code
                    pass
                else:
                    if elems in str(line).lower():
                        print "PATH : " , path
                        print "[+] SQL Query found :", elems.strip("(").strip("\"")
                        print "\t[+] Code Line: " , line
						
            if re.findall(r'(?i)(?<![a-z0-9])[a-f0-9]{32}(?![a-z0-9])', line) != []:
                print "PATH : " , path
                print "\t[+] MD5 hash found : " , line
                
                
    print "\n\n\t\t\t_________ Y _________"

def recursive(directory):
    file_list = list()
    for dirname, dirnames, filenames in os.walk(directory):
        for nm in filenames:
            path = os.path.join(dirname, nm)
            if str(path).endswith(".php"):
                file_list.append(path)
    search(file_list)

info()

try:
    recursive(sys.argv[1])
except:
    print "[!] add some path argument!"
	help()
    sys.exit()

